From 79522144ea76fd62af6ee17246913eef88be30b7 Mon Sep 17 00:00:00 2001 From: Renato Botelho Date: Thu, 25 Sep 2014 21:29:46 -0300 Subject: Update freeradius2 to 1.6.8: - Remove old 2.0 code - Make adjustments for 2.2 - Use internal bash --- config/freeradius2/freeradius.inc | 351 ++++++++++++-------------- config/freeradius2/freeradius_view_config.php | 14 +- config/freeradius2/freeradiussettings.xml | 2 +- pkg_config.10.xml | 2 +- pkg_config.8.xml | 2 +- pkg_config.8.xml.amd64 | 2 +- 6 files changed, 169 insertions(+), 204 deletions(-) diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index a18872fc..1370bcb8 100644 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -48,63 +48,62 @@ require_once("services.inc"); // Check pfSense version $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); -if ($pfs_version > 2.0){ - define('FREERADIUS_BASE', '/usr/pbi/freeradius-' . php_uname("m")); -} -else{ - define('FREERADIUS_BASE', '/usr/local'); +define('FREERADIUS_BASE', '/usr/pbi/freeradius-' . php_uname("m")); +$bash_path = FREERADIUS_BASE . "/bin/bash"; + +if ($pfs_version == "2.1") { + define('FREERADIUS_LIB', FREERADIUS_BASE . '/lib'); + define('FREERADIUS_ETC', FREERADIUS_BASE . '/etc'); +} else { + define('FREERADIUS_LIB', FREERADIUS_BASE . '/local/lib'); + define('FREERADIUS_ETC', FREERADIUS_BASE . '/local/etc'); } // Check freeradius lib version $frlib=""; - $libfiles = scandir(FREERADIUS_BASE . "/lib/"); - foreach ($libfiles as $libfile){ - if (preg_match("/freeradius-/",$libfile)) - $frlib=FREERADIUS_BASE . "/lib/{$libfile}"; + if (file_exists(FREERADIUS_LIB)) { + $libfiles = scandir(FREERADIUS_LIB); + foreach ($libfiles as $libfile){ + if (preg_match("/freeradius-/",$libfile)) + $frlib=FREERADIUS_BASE . "/lib/{$libfile}"; + } } if ($frlib == ""){ log_error("freeRADIUS - No freeradius lib found on ".FREERADIUS_BASE."/lib"); } function freeradius_deinstall_command() { - if (substr(trim(file_get_contents("/etc/version")),0,3) == "2.0") { - exec("cd /var/db/pkg && pkg_delete `ls | grep freeradius`"); - exec("rm -rf " . FREERADIUS_BASE . "/etc/raddb"); - exec("rm -rf /var/run/radiusd/"); - } + return; } function freeradius_install_command() { global $config; conf_mount_rw(); - // put the constant to a variable - $varFREERADIUS_BASE = FREERADIUS_BASE; - // We create here different folders for different counters. if (!file_exists("/var/log/radacct/datacounter/")) { exec("mkdir /var/log/radacct/datacounter && mkdir /var/log/radacct/datacounter/daily && mkdir /var/log/radacct/datacounter/weekly && mkdir /var/log/radacct/datacounter/monthly && mkdir /var/log/radacct/datacounter/forever"); } if (!file_exists("/var/log/radacct/timecounter/")) { exec("mkdir /var/log/radacct/timecounter"); } - exec("mkdir " . FREERADIUS_BASE . "/etc/raddb/scripts"); + exec("mkdir " . FREERADIUS_ETC . "/raddb/scripts"); if (!file_exists("/var/log/radutmp")) { exec("touch /var/log/radutmp"); } if (!file_exists("/var/log/radwtmp")) { exec("touch /var/log/radwtmp"); } - exec("chown -R root:wheel " . FREERADIUS_BASE . "/etc/raddb && chown -R root:wheel {$frlib} && chown -R root:wheel /var/log/radacct"); + exec("chown -R root:wheel " . FREERADIUS_ETC . "/raddb && chown -R root:wheel {$frlib} && chown -R root:wheel /var/log/radacct"); // creating a backup file of the original policy.conf no matter if user checked this or not - if (!file_exists(FREERADIUS_BASE . "/etc/raddb/policy.conf.backup")) { - log_error("FreeRADIUS: Creating backup of the original file to " . FREERADIUS_BASE . "/etc/raddb/policy.conf.backup"); - copy(FREERADIUS_BASE . "/etc/raddb/policy.conf", FREERADIUS_BASE . "/etc/raddb/policy.conf.backup"); + if (!file_exists(FREERADIUS_ETC . "/raddb/policy.conf.backup")) { + log_error("FreeRADIUS: Creating backup of the original file to " . FREERADIUS_ETC . "/raddb/policy.conf.backup"); + copy(FREERADIUS_ETC . "/raddb/policy.conf", FREERADIUS_ETC . "/raddb/policy.conf.backup"); } // creating a backup file of the original /modules/files no matter if user checked this or not - if (!file_exists(FREERADIUS_BASE . "/etc/raddb/files.backup")) { - log_error("FreeRADIUS: Creating backup of the original file to " . FREERADIUS_BASE . "/etc/raddb/files.backup"); - copy(FREERADIUS_BASE . "/etc/raddb/modules/files", FREERADIUS_BASE . "/etc/raddb/files.backup"); + if (!file_exists(FREERADIUS_ETC . "/raddb/files.backup")) { + log_error("FreeRADIUS: Creating backup of the original file to " . FREERADIUS_ETC . "/raddb/files.backup"); + copy(FREERADIUS_ETC . "/raddb/modules/files", FREERADIUS_ETC . "/raddb/files.backup"); } // Disable virtual-server we do not need by default - if (file_exists(FREERADIUS_BASE . "/etc/raddb/sites-enabled/control-socket")) { unlink(FREERADIUS_BASE . "/etc/raddb/sites-enabled/control-socket"); } - if (file_exists(FREERADIUS_BASE . "/etc/raddb/sites-enabled/inner-tunnel")) { unlink(FREERADIUS_BASE . "/etc/raddb/sites-enabled/inner-tunnel"); } + if (file_exists(FREERADIUS_ETC . "/raddb/sites-enabled/control-socket")) { unlink(FREERADIUS_ETC . "/raddb/sites-enabled/control-socket"); } + if (file_exists(FREERADIUS_ETC . "/raddb/sites-enabled/inner-tunnel")) { unlink(FREERADIUS_ETC . "/raddb/sites-enabled/inner-tunnel"); } // We run this here just to suppress some warnings on syslog if file doesn't exist freeradius_authorizedmacs_resync(); @@ -130,8 +129,8 @@ function freeradius_install_command() { $rcfile = array(); $rcfile['file'] = 'radiusd.sh'; - $rcfile['start'] = "$varFREERADIUS_BASE" . '/etc/rc.d/radiusd onestart'; - $rcfile['stop'] = "$varFREERADIUS_BASE" . '/etc/rc.d/radiusd onestop'; + $rcfile['start'] = FREERADIUS_ETC . '/rc.d/radiusd onestart'; + $rcfile['stop'] = FREERADIUS_ETC . '/rc.d/radiusd onestop'; write_rcfile($rcfile); conf_mount_ro(); start_service("radiusd"); @@ -251,7 +250,7 @@ extended_expressions = $varsettingsextendedexpressions EOD; // Deletes virtual-server coa by default. Will be re-enabled if there is an interface-type "coa" -exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/sites-enabled/coa"); +exec("rm -f " . FREERADIUS_ETC . "/raddb/sites-enabled/coa"); $arrinterfaces = $config['installedpackages']['freeradiusinterfaces']['config']; if (is_array($arrinterfaces) && !empty($arrinterfaces)) { @@ -278,7 +277,7 @@ EOD; // Begin "if" for interface-type = coa if ($item['varinterfacetype'] == 'coa') { // Enables virtual-server coa because interface-type is coa - exec("ln -s " . FREERADIUS_BASE . "/etc/raddb/sites-available/coa " . FREERADIUS_BASE . "/etc/raddb/sites-enabled/"); + exec("ln -s " . FREERADIUS_ETC . "/raddb/sites-available/coa " . FREERADIUS_ETC . "/raddb/sites-enabled/"); $conf .= << /var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/max-octets-$varusersusername`"); // if used-octets file exist we do NOT overwrite this file!!! @@ -598,7 +597,7 @@ EOD; } //end foreach } // end if - $filename = FREERADIUS_BASE . '/etc/raddb/users'; + $filename = FREERADIUS_ETC . '/raddb/users'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); @@ -764,7 +763,7 @@ if (is_array($arrmacs) && !empty($arrmacs)) { if ($varmacsmaxtotaloctets != '') { if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; } //create exec script - $varmacsreplyitem .= "\n\tExec-Program-Wait = " . '"/bin/sh ' . FREERADIUS_BASE . '/etc/raddb/scripts/datacounter_auth.sh ' . "$varmacsaddress $varmacsmaxtotaloctetstimerange" . '"'; + $varmacsreplyitem .= "\n\tExec-Program-Wait = " . '"/bin/sh ' . FREERADIUS_ETC . '/raddb/scripts/datacounter_auth.sh ' . "$varmacsaddress $varmacsmaxtotaloctetstimerange" . '"'; // create limit file - will be always overwritten so we can increase limit from GUI exec("`echo $varmacsmaxtotaloctets > /var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/max-octets-$varmacsaddress`"); // if used-octets file exist we do NOT overwrite this file!!! @@ -792,7 +791,7 @@ EOD; } //end foreach } // end if - $filename = FREERADIUS_BASE . '/etc/raddb/authorized_macs'; + $filename = FREERADIUS_ETC . '/raddb/authorized_macs'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); @@ -863,7 +862,7 @@ EOD; } conf_mount_rw(); - file_put_contents(FREERADIUS_BASE . '/etc/raddb/clients.conf', $conf); + file_put_contents(FREERADIUS_ETC . '/raddb/clients.conf', $conf); conf_mount_ro(); freeradius_sync_on_changes(); @@ -931,12 +930,12 @@ function freeradius_eapconf_resync() { // This is for enable/disbable MS SoH in EAP-PEAP and the virtuial-server "soh-server" if ($eapconf['vareapconfpeapsohenable'] == 'Enable') { $vareapconfpeapsoh = 'soh = yes' . "\n\t\t\tsoh_virtual_server = " . '"' . "soh-server" . '"'; - exec("ln -s " . FREERADIUS_BASE . "/etc/raddb/sites-available/soh " . FREERADIUS_BASE . "/etc/raddb/sites-enabled/"); + exec("ln -s " . FREERADIUS_ETC . "/raddb/sites-available/soh " . FREERADIUS_ETC . "/raddb/sites-enabled/"); } else { $vareapconfpeapsoh = '### MS SoH Server is disabled ###'; - if (file_exists(FREERADIUS_BASE . "/etc/raddb/sites-enabled/soh")) { - exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/sites-enabled/soh"); + if (file_exists(FREERADIUS_ETC . "/raddb/sites-enabled/soh")) { + exec("rm -f " . FREERADIUS_ETC . "/raddb/sites-enabled/soh"); } } @@ -950,9 +949,9 @@ if ($eapconf['vareapconfchoosecertmanager'] == 'on') { $ca_cert = lookup_ca($eapconf["ssl_ca_cert"]); if ($ca_cert != false) { if(base64_decode($ca_cert['prv'])) { - file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/ca_key.pem", + file_put_contents(FREERADIUS_ETC . "/raddb/certs/ca_key.pem", base64_decode($ca_cert['prv'])); - $conf['ssl_ca_key'] = FREERADIUS_BASE . '/etc/raddb/certs/ca_key.pem'; + $conf['ssl_ca_key'] = FREERADIUS_ETC . '/raddb/certs/ca_key.pem'; } @@ -965,24 +964,24 @@ if ($eapconf['vareapconfchoosecertmanager'] == 'on') { else{ $check_crl="check_crl = no"; } - file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/ca_cert.pem", + file_put_contents(FREERADIUS_ETC . "/raddb/certs/ca_cert.pem", base64_decode($ca_cert['crt']). $crl); - $conf['ssl_ca_cert'] = FREERADIUS_BASE . "/etc/raddb/certs/ca_cert.pem"; + $conf['ssl_ca_cert'] = FREERADIUS_ETC . "/raddb/certs/ca_cert.pem"; } $svr_cert = lookup_cert($eapconf["ssl_server_cert"]); if ($svr_cert != false) { if(base64_decode($svr_cert['prv'])) { - file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/server_key.pem", + file_put_contents(FREERADIUS_ETC . "/raddb/certs/server_key.pem", base64_decode($svr_cert['prv'])); - $conf['ssl_key'] = FREERADIUS_BASE . '/etc/raddb/certs/server_key.pem'; + $conf['ssl_key'] = FREERADIUS_ETC . '/raddb/certs/server_key.pem'; } } if(base64_decode($svr_cert['crt'])) { - file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/server_cert.pem", + file_put_contents(FREERADIUS_ETC . "/raddb/certs/server_cert.pem", base64_decode($svr_cert['crt'])); - $conf['ssl_server_cert'] = FREERADIUS_BASE . "/etc/raddb/certs/server_cert.pem"; + $conf['ssl_server_cert'] = FREERADIUS_ETC . "/raddb/certs/server_cert.pem"; } /* Not needed anymore because pfsense can do this by default @@ -990,23 +989,23 @@ if ($eapconf['vareapconfchoosecertmanager'] == 'on') { $svr_cert = lookup_cert($eapconf["ssl_client_cert"]); if ($svr_cert != false) { if(base64_decode($svr_cert['prv'])) { - file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/client_key.pem", + file_put_contents(FREERADIUS_ETC . "/raddb/certs/client_key.pem", base64_decode($svr_cert['prv'])); - $conf['ssl_key'] = FREERADIUS_BASE . '/etc/raddb/certs/client_key.pem'; + $conf['ssl_key'] = FREERADIUS_ETC . '/raddb/certs/client_key.pem'; } } if(base64_decode($svr_cert['crt'])) { - file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/client_cert.pem", + file_put_contents(FREERADIUS_ETC . "/raddb/certs/client_cert.pem", base64_decode($svr_cert['crt'])); - $conf['ssl_client_cert'] = FREERADIUS_BASE . "/etc/raddb/certs/client_cert.pem"; + $conf['ssl_client_cert'] = FREERADIUS_ETC . "/raddb/certs/client_cert.pem"; } - exec("openssl pkcs12 -export -in " . FREERADIUS_BASE . "/etc/raddb/certs/client_cert.pem -inkey " . FREERADIUS_BASE . "/etc/raddb/certs/client_key.pem -out " . FREERADIUS_BASE . "/etc/raddb/certs/client_cert.p12 -passout pass\:"); + exec("openssl pkcs12 -export -in " . FREERADIUS_ETC . "/raddb/certs/client_cert.pem -inkey " . FREERADIUS_ETC . "/raddb/certs/client_key.pem -out " . FREERADIUS_ETC . "/raddb/certs/client_cert.p12 -passout pass\:"); } */ - $conf['ssl_cert_dir'] = FREERADIUS_BASE . '/etc/raddb/certs'; + $conf['ssl_cert_dir'] = FREERADIUS_ETC . '/raddb/certs'; } $vareapconfprivatekeyfile = 'server_key.pem'; @@ -1015,11 +1014,11 @@ if ($eapconf['vareapconfchoosecertmanager'] == 'on') { // generate new DH and RANDOM file // We create a single empty file just to check if there is really a change from one to another cert manager to avoid building ne DH and random files - if (!file_exists(FREERADIUS_BASE . "/etc/raddb/certs/pfsense_cert_mgr")) { - log_error("freeRADIUS: Switched to pfSense Cert-Manager. Creating new DH and random file in " . FREERADIUS_BASE . "/etc/raddb/certs"); - exec("cd " . FREERADIUS_BASE . "/etc/raddb/certs && openssl dhparam -out dh 1024"); - exec("cd " . FREERADIUS_BASE . "/etc/raddb/certs && dd if=/dev/urandom of=./random count=10"); - exec("touch " . FREERADIUS_BASE . "/etc/raddb/certs/pfsense_cert_mgr"); + if (!file_exists(FREERADIUS_ETC . "/raddb/certs/pfsense_cert_mgr")) { + log_error("freeRADIUS: Switched to pfSense Cert-Manager. Creating new DH and random file in " . FREERADIUS_ETC . "/raddb/certs"); + exec("cd " . FREERADIUS_ETC . "/raddb/certs && openssl dhparam -out dh 1024"); + exec("cd " . FREERADIUS_ETC . "/raddb/certs && dd if=/dev/urandom of=./random count=10"); + exec("touch " . FREERADIUS_ETC . "/raddb/certs/pfsense_cert_mgr"); } } @@ -1114,7 +1113,7 @@ else { } EOD; - $filename = FREERADIUS_BASE . '/etc/raddb/eap.conf'; + $filename = FREERADIUS_ETC . '/raddb/eap.conf'; file_put_contents($filename, $conf); chmod($filename, 0640); conf_mount_ro(); @@ -1280,7 +1279,7 @@ sql sql2 { } EOD; - $filename = FREERADIUS_BASE . '/etc/raddb/sql.conf'; + $filename = FREERADIUS_ETC . '/raddb/sql.conf'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); @@ -2128,7 +2127,7 @@ post-proxy { } EOD; - $filename = FREERADIUS_BASE . '/etc/raddb/sites-available/default'; + $filename = FREERADIUS_ETC . '/raddb/sites-available/default'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); @@ -2223,7 +2222,7 @@ authorityKeyIdentifier = keyid:always,issuer:always basicConstraints = CA:true EOD; - $filename = FREERADIUS_BASE . '/etc/raddb/certs/ca.cnf'; + $filename = FREERADIUS_ETC . '/raddb/certs/ca.cnf'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); @@ -2308,7 +2307,7 @@ emailAddress = $varcertsserveremailaddress commonName = "$varcertsservercommonname" EOD; - $filename = FREERADIUS_BASE . '/etc/raddb/certs/server.cnf'; + $filename = FREERADIUS_ETC . '/raddb/certs/server.cnf'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); @@ -2393,7 +2392,7 @@ emailAddress = $varcertsclientemailaddress commonName = "$varcertsclientcommonname" EOD; - $filename = FREERADIUS_BASE . '/etc/raddb/certs/client.cnf'; + $filename = FREERADIUS_ETC . '/raddb/certs/client.cnf'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); @@ -2426,12 +2425,12 @@ if ($eapconf['vareapconfchoosecertmanager'] == '') { if ($arrcerts['varcertscreateclient'] == 'yes') { // delete all old certificates and keys - log_error("freeRADIUS: deleting all client.csr .crt .key .pem .tar in " . FREERADIUS_BASE . "/etc/raddb/certs"); - exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.csr"); - exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.crt"); - exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.key"); - exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.pem"); - exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.tar"); + log_error("freeRADIUS: deleting all client.csr .crt .key .pem .tar in " . FREERADIUS_ETC . "/raddb/certs"); + exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/client.csr"); + exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/client.crt"); + exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/client.key"); + exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/client.pem"); + exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/client.tar"); // run fuction to create ONLY new client.cnf files based on user input from freeradiuscert.xml @@ -2439,21 +2438,21 @@ if ($eapconf['vareapconfchoosecertmanager'] == '') { // make bootstrap executable and run to create cert based on client.cnf files - exec("chmod 0770 " . FREERADIUS_BASE . "/etc/raddb/certs/bootstrap"); - exec(FREERADIUS_BASE . "/etc/raddb/certs/bootstrap"); + exec("chmod 0770 " . FREERADIUS_ETC . "/raddb/certs/bootstrap"); + exec(FREERADIUS_ETC . "/raddb/certs/bootstrap"); // rename client generated XX.pem to client.pem // use regex to replace spaces and so on. - $varserial = preg_replace("/\s/","",file_get_contents(FREERADIUS_BASE . '/etc/raddb/certs/serial.old')); - if (file_exists(FREERADIUS_BASE . "/etc/raddb/certs/$varserial.pem")) - rename(FREERADIUS_BASE . "/etc/raddb/certs/$varserial.pem",FREERADIUS_BASE . "/etc/raddb/certs/client.pem"); + $varserial = preg_replace("/\s/","",file_get_contents(FREERADIUS_ETC . '/raddb/certs/serial.old')); + if (file_exists(FREERADIUS_ETC . "/raddb/certs/$varserial.pem")) + rename(FREERADIUS_ETC . "/raddb/certs/$varserial.pem",FREERADIUS_ETC . "/raddb/certs/client.pem"); // tar client-cert files - exec("cd " . FREERADIUS_BASE . "/etc/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der client.pem"); + exec("cd " . FREERADIUS_ETC . "/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der client.pem"); // Make all files in certs folder read/write only for root - exec("chmod -R 0600 " . FREERADIUS_BASE . "/etc/raddb/certs/"); - log_error("freeRADIUS: Created new client.csr .crt .key .pem and added them together with ca.der in " . FREERADIUS_BASE . "/etc/raddb/certs/client.tar"); + exec("chmod -R 0600 " . FREERADIUS_ETC . "/raddb/certs/"); + log_error("freeRADIUS: Created new client.csr .crt .key .pem and added them together with ca.der in " . FREERADIUS_ETC . "/raddb/certs/client.tar"); } } else { @@ -2461,18 +2460,18 @@ if ($eapconf['vareapconfchoosecertmanager'] == '') { if ($arrcerts['varcertsdeleteall'] == 'yes') { // delete all old certificates and keys - deletes certs from pfsense cert-manager IN THIS FOLDER, too. - log_error("freeRADIUS: deleting all CA, Server and Client certs, DH, random and database files in " . FREERADIUS_BASE . "/etc/raddb/certs"); - exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/ca.pem && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/server.pem && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.pem"); - exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/ca.der && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/server.der && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.der"); - exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/ca.csr && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/server.csr && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.csr"); - exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/ca.crt && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/server.crt && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.crt"); - exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/ca.key && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/server.key && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.key"); - exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/ca.p12 && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/server.p12 && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.p12"); - exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/serial*"); - exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/index*"); - exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/dh"); - exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/random"); - exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.tar"); + log_error("freeRADIUS: deleting all CA, Server and Client certs, DH, random and database files in " . FREERADIUS_ETC . "/raddb/certs"); + exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/ca.pem && rm -f " . FREERADIUS_ETC . "/raddb/certs/server.pem && rm -f " . FREERADIUS_ETC . "/raddb/certs/client.pem"); + exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/ca.der && rm -f " . FREERADIUS_ETC . "/raddb/certs/server.der && rm -f " . FREERADIUS_ETC . "/raddb/certs/client.der"); + exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/ca.csr && rm -f " . FREERADIUS_ETC . "/raddb/certs/server.csr && rm -f " . FREERADIUS_ETC . "/raddb/certs/client.csr"); + exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/ca.crt && rm -f " . FREERADIUS_ETC . "/raddb/certs/server.crt && rm -f " . FREERADIUS_ETC . "/raddb/certs/client.crt"); + exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/ca.key && rm -f " . FREERADIUS_ETC . "/raddb/certs/server.key && rm -f " . FREERADIUS_ETC . "/raddb/certs/client.key"); + exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/ca.p12 && rm -f " . FREERADIUS_ETC . "/raddb/certs/server.p12 && rm -f " . FREERADIUS_ETC . "/raddb/certs/client.p12"); + exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/serial*"); + exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/index*"); + exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/dh"); + exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/random"); + exec("rm -f " . FREERADIUS_ETC . "/raddb/certs/client.tar"); // run fuctions to create new .cnf files based on user input from freeradiuscert.xml @@ -2481,28 +2480,28 @@ if ($eapconf['vareapconfchoosecertmanager'] == '') { freeradius_clientcertcnf_resync(); // this command deletes the pfsense_cert_mgr checkfile so when we change back to pfsense cert manager a new DH + random file will be created - if (file_exists(FREERADIUS_BASE . "/etc/raddb/certs/pfsense_cert_mgr")) { - unlink(FREERADIUS_BASE . "/etc/raddb/certs/pfsense_cert_mgr"); + if (file_exists(FREERADIUS_ETC . "/raddb/certs/pfsense_cert_mgr")) { + unlink(FREERADIUS_ETC . "/raddb/certs/pfsense_cert_mgr"); } // generate new DH and RANDOM file - log_error("freeRADIUS: Creating new DH and random file in " . FREERADIUS_BASE . "/etc/raddb/certs"); - exec("cd " . FREERADIUS_BASE . "/etc/raddb/certs && openssl dhparam -out dh 1024"); - exec("cd " . FREERADIUS_BASE . "/etc/raddb/certs && dd if=/dev/urandom of=./random count=10"); + log_error("freeRADIUS: Creating new DH and random file in " . FREERADIUS_ETC . "/raddb/certs"); + exec("cd " . FREERADIUS_ETC . "/raddb/certs && openssl dhparam -out dh 1024"); + exec("cd " . FREERADIUS_ETC . "/raddb/certs && dd if=/dev/urandom of=./random count=10"); - log_error("freeRADIUS: Creating new CA, Server and Client certs in " . FREERADIUS_BASE . "/etc/raddb/certs"); + log_error("freeRADIUS: Creating new CA, Server and Client certs in " . FREERADIUS_ETC . "/raddb/certs"); // make bootstrap executable and run to create certs based on .cnf files - exec("chmod 0770 " . FREERADIUS_BASE . "/etc/raddb/certs/bootstrap"); - exec(FREERADIUS_BASE . "/etc/raddb/certs/bootstrap"); + exec("chmod 0770 " . FREERADIUS_ETC . "/raddb/certs/bootstrap"); + exec(FREERADIUS_ETC . "/raddb/certs/bootstrap"); // rename client generated 02.pem to client.pem - if (file_exists(FREERADIUS_BASE . "/etc/raddb/certs/02.pem")) - rename(FREERADIUS_BASE . "/etc/raddb/certs/02.pem",FREERADIUS_BASE . "/etc/raddb/certs/client.pem"); + if (file_exists(FREERADIUS_ETC . "/raddb/certs/02.pem")) + rename(FREERADIUS_ETC . "/raddb/certs/02.pem",FREERADIUS_ETC . "/raddb/certs/client.pem"); // tar client-cert files - exec("cd " . FREERADIUS_BASE . "/etc/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der client.pem"); - exec("chmod -R 0600 " . FREERADIUS_BASE . "/etc/raddb/certs/"); - log_error("freeRADIUS: Added client.csr .crt .key .pem together with ca.der in " . FREERADIUS_BASE . "/etc/raddb/certs/client.tar"); + exec("cd " . FREERADIUS_ETC . "/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der client.pem"); + exec("chmod -R 0600 " . FREERADIUS_ETC . "/raddb/certs/"); + log_error("freeRADIUS: Added client.csr .crt .key .pem together with ca.der in " . FREERADIUS_ETC . "/raddb/certs/client.tar"); // If there were changes on the certificates we need to restart freeradius restart_service('radiusd'); @@ -2689,7 +2688,7 @@ function freeradius_all_after_XMLRPC_resync() { log_error("FreeRADIUS: Finished XMLRPC process. It should be OK. For more information look at the host which started sync."); - exec(FREERADIUS_BASE . "/etc/rc.d/radiusd onerestart"); + exec(FREERADIUS_ETC . "/rc.d/radiusd onerestart"); } function freeradius_modulescounter_resync() { @@ -2812,7 +2811,7 @@ counter forever { } EOD; - $filename = FREERADIUS_BASE . '/etc/raddb/modules/counter'; + $filename = FREERADIUS_ETC . '/raddb/modules/counter'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); @@ -2906,7 +2905,7 @@ nt-response=%{%{mschap:NT-Response}:-00}" } EOD; - $filename = FREERADIUS_BASE . '/etc/raddb/modules/mschap'; + $filename = FREERADIUS_ETC . '/raddb/modules/mschap'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); @@ -2951,7 +2950,7 @@ realm ntdomain { } EOD; - $filename = FREERADIUS_BASE . '/etc/raddb/modules/realm'; + $filename = FREERADIUS_ETC . '/raddb/modules/realm'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); @@ -3004,37 +3003,37 @@ if($arrmodulesldap['varmodulesldapenabletlssupport'] == 'on') { $ca_cert = lookup_ca($arrmodulesldap["ssl_ca_cert1"]); if ($ca_cert != false) { if(base64_decode($ca_cert['prv'])) { - file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/ca_ldap1_key.pem", + file_put_contents(FREERADIUS_ETC . "/raddb/certs/ca_ldap1_key.pem", base64_decode($ca_cert['prv'])); - $conf['ssl_ca_key'] = FREERADIUS_BASE . '/etc/raddb/certs/ca_ldap1_key.pem'; + $conf['ssl_ca_key'] = FREERADIUS_ETC . '/raddb/certs/ca_ldap1_key.pem'; } if(base64_decode($ca_cert['crt'])) { - file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/ca_ldap1_cert.pem", + file_put_contents(FREERADIUS_ETC . "/raddb/certs/ca_ldap1_cert.pem", base64_decode($ca_cert['crt'])); - $conf['ssl_ca_cert1'] = FREERADIUS_BASE . "/etc/raddb/certs/ca_ldap1_cert.pem"; + $conf['ssl_ca_cert1'] = FREERADIUS_ETC . "/raddb/certs/ca_ldap1_cert.pem"; } $svr_cert = lookup_cert($arrmodulesldap["ssl_server_cert1"]); if ($svr_cert != false) { if(base64_decode($svr_cert['prv'])) { - file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/radius_ldap1_cert.key", + file_put_contents(FREERADIUS_ETC . "/raddb/certs/radius_ldap1_cert.key", base64_decode($svr_cert['prv'])); - $conf['ssl_key'] = FREERADIUS_BASE . '/etc/raddb/certs/radius_ldap1_cert.key'; + $conf['ssl_key'] = FREERADIUS_ETC . '/raddb/certs/radius_ldap1_cert.key'; } } if(base64_decode($svr_cert['crt'])) { - file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/radius_ldap1_cert.crt", + file_put_contents(FREERADIUS_ETC . "/raddb/certs/radius_ldap1_cert.crt", base64_decode($svr_cert['crt'])); - $conf['ssl_server_cert1'] = FREERADIUS_BASE . "/etc/raddb/certs/radius_ldap1_cert.crt"; + $conf['ssl_server_cert1'] = FREERADIUS_ETC . "/raddb/certs/radius_ldap1_cert.crt"; } - $conf['ssl_cert_dir'] = FREERADIUS_BASE . '/etc/raddb/certs'; + $conf['ssl_cert_dir'] = FREERADIUS_ETC . '/raddb/certs'; } $varmodulesldapstarttls = "yes"; } @@ -3051,37 +3050,37 @@ if($arrmodulesldap['varmodulesldap2enabletlssupport'] == 'on') { $ca_cert = lookup_ca($arrmodulesldap["ssl_ca_cert2"]); if ($ca_cert != false) { if(base64_decode($ca_cert['prv'])) { - file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/ca_ldap2_key.pem", + file_put_contents(FREERADIUS_ETC . "/raddb/certs/ca_ldap2_key.pem", base64_decode($ca_cert['prv'])); - $conf['ssl_ca_key'] = FREERADIUS_BASE . '/etc/raddb/certs/ca_ldap2_key.pem'; + $conf['ssl_ca_key'] = FREERADIUS_ETC . '/raddb/certs/ca_ldap2_key.pem'; } if(base64_decode($ca_cert['crt'])) { - file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/ca_ldap2_cert.pem", + file_put_contents(FREERADIUS_ETC . "/raddb/certs/ca_ldap2_cert.pem", base64_decode($ca_cert['crt'])); - $conf['ssl_ca_cert2'] = FREERADIUS_BASE . "/etc/raddb/certs/ca_ldap2_cert.pem"; + $conf['ssl_ca_cert2'] = FREERADIUS_ETC . "/raddb/certs/ca_ldap2_cert.pem"; } $svr_cert = lookup_cert($arrmodulesldap["ssl_server_cert2"]); if ($svr_cert != false) { if(base64_decode($svr_cert['prv'])) { - file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/radius_ldap2_cert.key", + file_put_contents(FREERADIUS_ETC . "/raddb/certs/radius_ldap2_cert.key", base64_decode($svr_cert['prv'])); - $conf['ssl_key'] = FREERADIUS_BASE . '/etc/raddb/certs/radius_ldap2_cert.key'; + $conf['ssl_key'] = FREERADIUS_ETC . '/raddb/certs/radius_ldap2_cert.key'; } } if(base64_decode($svr_cert['crt'])) { - file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/radius_ldap2_cert.crt", + file_put_contents(FREERADIUS_ETC . "/raddb/certs/radius_ldap2_cert.crt", base64_decode($svr_cert['crt'])); - $conf['ssl_server_cert2'] = FREERADIUS_BASE . "/etc/raddb/certs/radius_ldap2_cert.crt"; + $conf['ssl_server_cert2'] = FREERADIUS_ETC . "/raddb/certs/radius_ldap2_cert.crt"; } - $conf['ssl_cert_dir'] = FREERADIUS_BASE . '/etc/raddb/certs'; + $conf['ssl_cert_dir'] = FREERADIUS_ETC . '/raddb/certs'; } $varmodulesldap2starttls = "yes"; } @@ -3204,7 +3203,7 @@ else { $varmodulesldap2keepaliveidle = ($arrmodulesldap['varmodulesldap2keepaliveidle']?$arrmodulesldap['varmodulesldap2keepaliveidle']:'60'); $varmodulesldap2keepaliveprobes = ($arrmodulesldap['varmodulesldap2keepaliveprobes']?$arrmodulesldap['varmodulesldap2keepaliveprobes']:'3'); $varmodulesldap2keepaliveinterval = ($arrmodulesldap['varmodulesldap2keepaliveinterval']?$arrmodulesldap['varmodulesldap2keepaliveinterval']:'3'); -$raddb = FREERADIUS_BASE . '/etc/raddb'; +$raddb = FREERADIUS_ETC . '/raddb'; $conf .= << - -

- -
diff --git a/config/freeradius2/freeradiussettings.xml b/config/freeradius2/freeradiussettings.xml index 1d908ca4..99af4d4a 100644 --- a/config/freeradius2/freeradiussettings.xml +++ b/config/freeradius2/freeradiussettings.xml @@ -316,7 +316,7 @@ Enable Mobile-One-Time-Password varsettingsmotpenable - + checkbox varsettingsmotptimespan,varsettingsmotppasswordattempts,varsettingsmotpchecksumtype,varsettingsmotptokenlength diff --git a/pkg_config.10.xml b/pkg_config.10.xml index 73eef873..05339d6b 100644 --- a/pkg_config.10.xml +++ b/pkg_config.10.xml @@ -785,7 +785,7 @@ On pfSense docs there is a how-to which could help you on porting users.]]> https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package System - 2.1.12_1/2.2.5_3 pkg v1.6.7_3 + 2.1.12_1/2.2.5_3 pkg v1.6.8 RC1 2.2 nachtfalkeaw@web.de diff --git a/pkg_config.8.xml b/pkg_config.8.xml index 4e788ab9..582aab54 100644 --- a/pkg_config.8.xml +++ b/pkg_config.8.xml @@ -1062,7 +1062,7 @@ On pfSense docs there is a how-to which could help you on porting users.]]> https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package System - 2.1.12_1/2.2.5_3 pkg v1.6.7_3 + 2.1.12_1/2.2.5_3 pkg v1.6.8 RC1 2.0 nachtfalkeaw@web.de diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64 index 44df04ae..1baf6b62 100644 --- a/pkg_config.8.xml.amd64 +++ b/pkg_config.8.xml.amd64 @@ -1049,7 +1049,7 @@ On pfSense docs there is a how-to which could help you on porting users.]]> https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package System - 2.1.12_1/2.2.5_3 pkg v1.6.7_3 + 2.1.12_1/2.2.5_3 pkg v1.6.8 RC1 2.0 nachtfalkeaw@web.de -- cgit v1.2.3